
A Practical Approach to Risk Assessment and Risk Reduction


Presented by
Richard Harris

Omron STI 2012

Today's Learning Objectives

What is a risk assessment and why do I have to do it?


Who can do a risk assessment?
How do I do it?
What is the difference between risk assessment and risk reduction?
What tools are available?

What is it?
Risk Assessment: The process by which the intended use (and reasonably foreseeable misuse) of the machine, the tasks and hazards, and the level of risk are determined
Risk Reduction: The application of protective measures to reduce the risk to a tolerable level

Why do it?

To create a safer working environment for employees (as required by OSHA)
To reduce costs
To comply with national and international consensus standards, including:
- ANSI B11.0-2010 Safety of Machinery - General Requirements and Risk Assessment
- ANSI B11.TR3-2000 Risk Assessment and Risk Reduction - A Guide to Estimate, Evaluate and Reduce Risks Associated with Machine Tools
- ANSI/RIA R15.06-1999 (R2009) For Industrial Robots and Robot Systems - Safety Requirements
- NFPA 79-2012 Electrical Standard for Industrial Machinery
- ANSI/ASSE Z244.1-2003 (R2008) Control of Hazardous Energy - Lockout/Tagout and Alternative Methods
- ANSI/PMMI B155.1-2011 Standard for Packaging Machinery and Packaging-Related Converting Machinery - Safety Requirements for Construction, Care, and Use
- SEMI S10-0307 Safety Guideline for Risk Assessment and Risk Evaluation Process
- MIL-STD-882D-2000 Standard Practice for System Safety
- CSA Z432-04 Safeguarding of Machinery - Occupational Health and Safety
- CSA Z434-03 Industrial Robots and Robot Systems - General Safety Requirements
- CSA Z460-05 Control of Hazardous Energy - Lockout and Other Methods
- NOM-004-STPS-1999 Protection Systems and Safety Devices for Machinery and Equipment Used in the Workplace
- ISO 12100:2010 Safety of machinery - General principles for design - Risk assessment and risk reduction
- EN 954-1:2000 / ISO 13849-1:1999 Safety of machinery - Safety-related parts of control systems - Part 1: General principles of design
- ISO 13849-1:2006 Safety of machinery - Safety-related parts of control systems - Part 1: General principles of design
- 2006/42/EC European Machinery Directive

How do I do it?
Regardless of which standard you follow, the process contains 12 essential steps
You can create your own process, as long as it is based on industry best practices
You can conduct the process in house, request it from your OEM, or contract an outside service provider

Step 1: Identify Machine / Process

Usually done in reaction to an accident / near miss that has already occurred
Think Proactive!
Can be prioritized based on common sense (more hazardous machines first)
Based on hazards and/or frequency of use

Step 2: Collect Proper Information

- Limits of the machine
- Requirements for the lifecycle of the machine
- Design drawings, sketches, system descriptions, or other means of establishing the nature of the machine
- Information concerning energy sources
- Any accident and incident history
- Any information about damage to health
- System layout and proposed building / existing system(s) integration
- Affected personnel
- Level of training, experience, or ability of all personnel
- Exposure of other persons to the hazards associated with the machine where it can be reasonably foreseen

Step 3: Gather Proper Personnel

- EHS manager
- Operators
- Maintenance personnel
- Engineers
- Electricians
- Production managers
- Specialists

Use
approach

Step 4: Observe Machine in Use

Although many machines are similar in design, they are adapted to perform specific or different operations
The best way to understand the operation and maintenance of a machine is to see it in use
This helps ensure safety and compliance while understanding and meeting productivity needs

Step 5: Identify Hazardous Areas

Follow task/hazard approach
Tasks include:
- Packing and transporting
- Unloading/unpacking
- Systems installation
- Start up/commissioning
- Set up and try out
- Operation (all modes)
- Tool change
- Major repair
- Planned maintenance
- Unplanned maintenance
- Recovery from crash
- Troubleshooting
- Housekeeping
- Decommissioning
- Disposal

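Task / Hazard Approach

| Personnel | Task | Hazard |
| --- | --- | --- |
| Operator | | |
| Maintenance | | |
| Trainees | | |
| Passers-by | | |
| Managers | | |
| Supervisors | | |
| Programmers | | |
| Engineers | | |
| Office Personnel | | |
| Quality Coach | | |
| Sales Personnel | | |
| Contractors | | |
| Riggers | | |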

Task / Hazard Approach

| Personnel | Task | Hazard |
| --- | --- | --- |
| Operator | Load | |
| Operator | Unload Part | |
| Operator | Unload Scrap | |
| Operator | Cycle | |
| Operator | Lube Die | |
| Operator | Clean Die | |
| Operator | Tape Die | |
| Operator | Power Up | |
| Operator | Power Down | |
| Operator | Clean Press | |
| Operator | Clean Workspace | |
| Operator | Teach Trainees | |
| Maintenance | Change Die | |
| Maintenance | First Piece Verification | |
| Maintenance | Preventative Maintenance | |
| Maintenance | Recovery from Crash | |

Task / Hazard Approach

| Personnel | Task | Hazard |
| --- | --- | --- |
| Operator | Load | Shearing |
| Operator | Load | Cutting or Severing |
| Operator | Load | Stabbing or Puncturing |
| Operator | Load | Contact with Live Parts |
| Operator | Load | Reaction to Stainless Steel |
| Operator | Load | Failure of the Control System |
| Operator | Load | Failure of the Equipment |
| Operator | Load | Slip, Trip, or Fall |
| Operator | Load | Falling Objects |
| Operator | Load | Ejected Objects or Fluids |
| Operator | Unload Part | Crushing |
| Operator | Unload Part | Shearing |
| Operator | Unload Part | Cutting or Severing |
| Operator | Unload Part | Contact with Live Parts |
| Operator | Unload Part | Reaction to Stainless Steel |
| Operator | Unload Part | Failure of the Control System |

Identifying Tasks & Hazards

ANSI B11.0-2010
Identifying tasks and hazards is a critically important part of the risk assessment
process because hazards not identified can create substantial unknown risks. There
are many different approaches to identifying hazards. Depending on the complexity of
the machinery, useful methods may include but are not limited to:
using intuitive operational and engineering judgment;
examining system specifications and expectations;
reviewing codes, regulations, and consensus standards;
interviewing current or intended system users and/or operators;
consulting checklists;
reviewing studies from other similar systems;
evaluating the potential for unwanted energy releases/exposures to hazardous environments;
reviewing historical data/industry experience, incident investigation reports (including accident or near-miss events), OSHA, Bureau of Labor Statistics and National Safety Council data, manufacturers' literature;
considering potential mishaps with surrounding equipment and operations;
brainstorming.

Assumptions
The risk assessment process includes identifying hazards regardless of the existence of risk reduction (safeguarding) measures.
The machine should not be considered harmless as shipped and guarded.
To assure that all hazards are included, hazard identification should be conducted with all safeguards conceptually removed.
This is to assure that hazards are not ignored due to an assumption that the safeguard supplied is adequate for all tasks, including reasonably foreseeable misuse.

Existing safeguards that help meet the risk reduction objectives can be retained after evaluating their performance.
This decision will be confirmed during the validation/verification portion of the risk assessment.

Steps 6 & 7: Identify the Risk Level and Required Level of Risk Reduction

There are several recognized methods to identify (label) risk levels
ANSI, RIA, CSA, EN, ISO

Choose the method which is easiest and most practical to apply at your location
Risks must be aligned to a risk reduction category that incorporates the selection of safeguarding devices and safety-related parts of the control system

ANSI B11.TR3

7.2 Severity of harm

Severity of harm addresses the degree of injury or illness that could occur. The degrees are based on extent of injury or illness (from death to no injury), and extent of treatment involved. The following is an example of severity levels:

- Catastrophic - death or permanently disabling injury or illness (unable to return to work)
- Serious - severe debilitating injury or illness (able to return to work at some point)
- Moderate - significant injury or illness requiring more than first aid (able to return to same job)
- Minor - no injury or slight injury requiring no more than first aid (little or no lost work time)

When determining risk, the worst credible severity of harm is to be selected.

7.3 Probability of occurrence of harm

Probability of occurrence of harm is estimated by taking into account the frequency, duration and extent of exposure, training and awareness, and the presentation of the hazard. The following is an example of probability levels:

- Very likely - near certain to occur
- Likely - may occur
- Unlikely - not likely to occur
- Remote - so unlikely as to be near zero

When estimating probability, the highest credible level of probability is to be selected.

ANSI B11.TR3

| Probability | Severity: Catastrophic | Severity: Serious | Severity: Moderate | Severity: Minor |
| --- | --- | --- | --- | --- |
| Very Likely | High | High | High | Medium |
| Likely | High | High | Medium | Low |
| Unlikely | Medium | Medium | Low | Negligible |
| Remote | Low | Low | Negligible | Negligible |

Table 1: Risk Determination Matrix

ANSI B11.TR3

Safeguards providing the highest degree of risk reduction are:

- Barrier guard or protective device preventing intentional exposure of any part of the body to the hazard, and secured with special fasteners or a lock. If moveable, such a barrier should be interlocked using system control criteria as defined in this paragraph.
- Control systems having redundancy with continuous self-checking to ensure the continuance of performance.

Safeguards providing high / intermediate risk reduction are:

- Barrier guard or protective device preventing unintended exposure of any part of the body to the hazard, and not removable or adjustable by unauthorized persons. If moveable, such a barrier should be interlocked using system control criteria as defined in this paragraph.
- Physical devices that do not require adjustment for use or other operator intervention.
- Control systems having redundancy with self-checking upon startup to ensure the continuance of performance.

Safeguards providing low / intermediate risk reduction are:

- Barrier guard or protective device providing simple guarding against inadvertent exposure to the hazard. Examples are a fixed screen, chuck guard, or moveable barrier with simple interlocking using system control criteria as defined in this paragraph.
- Physical devices that require adjustment for use.
- Control systems (including associated protective devices, actuators and interfaces) having redundancy that may be manually checked to ensure the continuance of performance.

Safeguards providing the lowest degree of risk reduction are:

- Physical barrier providing tactile or visual awareness of the hazard, or minimal protection against inadvertent exposure. Examples are post and rope, swing-away shield, or moveable screen.
- Electrical, electronic, hydraulic or pneumatic devices and associated control systems using a single-channel configuration.

ANSI/RIA R15.06
| Factor | Category | Criteria |
| --- | --- | --- |
| Severity | S2 Serious Injury | Normally irreversible; or fatality; or requires more than first-aid as defined in OSHA 1904.12 |
| Severity | S1 Slight Injury | Normally reversible; or requires only first-aid as defined in OSHA 1904.12 |
| Exposure | E2 Frequent Exposure | Typically exposure to the hazard more than once per hour. |
| Exposure | E1 Infrequent Exposure | Typically exposure to the hazard less than once per day or shift. |
| Avoidance | A2 Not Likely | Cannot move out of the way; or inadequate reaction time; or robot speed greater than 250mm/sec. |
| Avoidance | A1 Likely | Can move out of the way; or sufficient warning/reaction time; or robot speed less than 250mm/sec. |

Table 1 - Hazard Severity/Exposure/Avoidance Categories

ANSI/RIA R15.06
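| Severity of Exposure | Exposure | Avoidance | Risk Reduction Category |
| --- | --- | --- | --- |
| S2 Serious Injury (More than First-aid) | E2 Frequent Exposure | A2 Not Likely | R1 |
| S2 Serious Injury (More than First-aid) | E2 Frequent Exposure | A1 Likely | R2A |
| S2 Serious Injury (More than First-aid) | E1 Infrequent Exposure | A2 Not Likely | R2B |
| S2 Serious Injury (More than First-aid) | E1 Infrequent Exposure | A1 Likely | R2B |
| S1 Slight Injury (First-aid) | E2 Frequent Exposure | A2 Not Likely | R2C |
| S1 Slight Injury (First-aid) | E2 Frequent Exposure | A1 Likely | R3A |
| S1 Slight Injury (First-aid) | E1 Infrequent Exposure | A2 Not Likely | R3B |
| S1 Slight Injury (First-aid) | E1 Infrequent Exposure | A1 Likely | R4 |

Table 2 - Risk reduction decision matrix prior to safeguard selection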

ANSI/RIA R15.06
| Category | Safeguard Performance | Circuit Performance |
| --- | --- | --- |
| R1 | Hazard elimination or hazard substitution (9.5.1) | Control Reliable (4.5.4) |
| R2A | Engineering controls preventing access to the hazard, or stopping the hazard (9.5.2), e.g. interlocked barrier guards, light curtains, safety mats, or other presence sensing devices (10.4) | Control Reliable (4.5.4) |
| R2B | As R2A | Single Channel with monitoring (4.5.3) |
| R2C | As R2A | Single Channel (4.5.2) |
| R3A | Non interlocked barriers, clearance, procedures and equipment (9.5.3) | Single Channel (4.5.2) |
| R3B | As R3A | Simple (4.5.1) |
| R4 | Awareness means (9.5.4) | Simple (4.5.1) |

Table 3 - Safeguard Selection Matrix

Risk Reduction Measures


Modified Table 3
Circuit Performance
Risk
reduction
Index
R1
R2A
R2B
R2C
R3A
R3B
R4

Safeguard Performance
Hazard Elimination or hazard substitution
Engineering controls preventing access to the hazard, or stopping the hazard, e.g. interlocked barrier guards, light curtains, safety mats, or other presence sensing devices

ANSI/RIA
R15.06-1999
(R2009)

ISO 10218-2
ISO 10218-1
ISO 13849-1:1999 ISO 13849-1:2006 IEC 62061:2005
Category
PL
SIL

Control Reliable

(4) 3

(e) d

(3) 2

Control Reliable

Single Channel
with Monitoring

d/c

2/1

Single Channel

n/a

Non interlocked barriers,


Single Channel
1
clearance, procedures and
Simple
b
equipment
Awareness means
Simple
b
Table 3 - Safeguard Selection Matrix


ANSI/RIA R15.06

R1 - Risk reduction shall be accomplished by hazard elimination or hazard substitution which does not create an equal or greater hazard. When hazard elimination or substitution is not possible, all provisions of a category R2 risk reduction shall apply and provisions of categories R3 and R4 shall be provided for safeguarding residual risk.

R2 - Safeguarding shall be by means that prevent access to the hazard, or cause the hazard to cease. Provisions of categories R3 and R4 may be used for safeguarding residual risk.

R3 - Safeguarding, at a minimum, shall be by means of non-interlocked barriers, clearance from the hazard, written procedures, and personal protective equipment if applicable. Provisions of Category R4 may also be used for safeguarding residual risk.

R4 - Safeguarding, at a minimum, shall be by administrative means, awareness means including audio/visual warnings and training.

EN 1050 / ISO 14121


S: Severity of potential injury
- S1: Slight injury (minor cuts or bruises, requires first-aid)
- S2: Severe injury (broken bone, loss of limb or death)
F: Frequency of exposure to potential hazard
- F1: Infrequent exposure
- F2: Frequent to continuous exposure
P: Possibility of avoiding the hazard as it occurs (generally related to the speed / frequency of movement of the hazard and distance to the hazard point)
- P1: Possible
- P2: Less possible
L: Likelihood of occurrence (in event of a failure)
- L1: Very likely
- L2: Unlikely
- L3: Highly unlikely

EN 1050 / ISO 14121


EN 954-1:1996 / ISO 13849-1:1999


Category B (see 6.2.1)
Summary of requirements: Safety-related parts of control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence.
System behaviour: The occurrence of a fault can lead to the loss of the safety function.
Principles to achieve safety: Mainly characterized by selection of components

Category 1 (see 6.2.2)
Summary of requirements: Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used.
System behaviour: The occurrence of a fault can lead to loss of the safety function, but the probability of occurrence is lower than for category B.
Principles to achieve safety: Mainly characterized by selection of components

Category 2 (see 6.2.3)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system.
System behaviour:
- The occurrence of a fault can lead to loss of the safety function between checks.
- The loss of safety function is detected with the check.
Principles to achieve safety: Mainly characterized by structure

Category 3 (see 6.2.4)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that:
- a single fault in any of these parts does not lead to loss of the safety function, and
- whenever reasonably practicable the single fault is detected.
System behaviour:
- When a single fault occurs, the safety function is always performed.
- Some but not all faults will be detected.
- Accumulation of undetected faults can lead to loss of the safety function.
Principles to achieve safety: Mainly characterized by structure

Category 4 (see 6.2.5)
Summary of requirements: Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that:
- a single fault in any of these parts does not lead to loss of the safety function, and
- the single fault is detected at or before the next demand upon the safety function. If this is not possible, then an accumulation of faults shall not lead to a loss of the safety function.
System behaviour:
- When the faults occur the safety function is always performed.
- The faults will be detected in time to prevent loss of the safety function.
Principles to achieve safety: Mainly characterized by structure

Table 2 - Summary of requirements for categories (for full requirements see clause 6)

ISO 13849-1

| RISK FACTOR | VALUE | DEFINITION |
| --- | --- | --- |
| Severity of Injury | S1 | Slight (normally reversible injury) |
| Severity of Injury | S2 | Serious (normally irreversible injury or death) |
| Frequency and/or Exposure to Hazard | F1 | Seldom to less-often and/or exposure time is short |
| Frequency and/or Exposure to Hazard | F2 | Frequent to continuous and/or exposure time is long |
| Possibility of Avoiding Hazard or Limiting Harm | P1 | Possible under specific conditions |
| Possibility of Avoiding Hazard or Limiting Harm | P2 | Scarcely possible |

ISO 13849-1


ISO 13849-1
Relationship between Categories, DCavg, and MTTFd of Each Channel and PL


EN 954-1 vs. ISO 13849-1


Comparison of Circuit Performance Requirements


CIRCUIT PERFORMANCE REQUIREMENTS
ANSI B11.TR3-2000
ANSI/ASSE Z244.1-2003 (R2008)
Index

High
High

Circuit Performance

Redundancy with
Continuous Self-Checking
Redundancy with
Continuous Self-Checking
No Equivalent

Index

Circuit Performance

ISO 10218-1:2007
ISO 13849-1:1999
(EN 954-1:1996)
Category

R1

Control Reliable

(4) 3

(e) d

(3) 2

R2A

Control Reliable

R2B

Single Channel with


Monitoring

d/c

2/1

ANSI/RIA R15.06-1999 (R2009)


CSA Z432-04 & Z434-03

ISO 10218:20(11?)
ISO 13849-1:2006

IEC 62061:2005

PL

SIL

Medium

Redundancy with Self-Checking Upon Startup

No Equivalent

No Equivalent

No Equivalent

No Equivalent

Low

Redundancy that may be


Manually Checked

No Equivalent

No Equivalent

No Equivalent

No Equivalent

Negligible

Single Channel

R2C

Single Channel

Negligible

Single Channel

R3A

Single Channel

R3B

Simple

R4

Simple

n/a

No Equivalent
No Equivalent

While there are similarities between the levels of risk reduction in the various columns, an exact one-to-one comparison is virtually
impossible. This chart is intended to show the comparative similarities between each standard. Where risk reduction measures depend
on configurable devices, the reliability of these devices and the system should be appropriate for the level of risk.

Selecting Protective Measures Commensurate with Risk Level

Step 8: Create Appropriate Risk Reduction System

Follow hierarchy of control
- Elimination / substitution of the hazard
- Engineering controls
  - Safeguarding devices (interlock switches, light curtains, safety mats, etc.)
  - Electrical / pneumatic / hydraulic circuits
- Awareness means (lights, signs, signals, etc.)
- Training and procedures (administrative controls)
- Personal protective equipment (PPE)

Hierarchy of Control

Protective measures are listed from most effective to least effective.

PROTECTIVE MEASURE: Elimination or Substitution (most effective)
CLASSIFICATION: Design Out
EXAMPLES:
- Eliminate the need for human interaction in the process
- Eliminate pinch points (increase clearance)
- Automated material handling (robots, conveyors, etc.)
INFLUENCE ON RISK FACTORS:
- Impact on overall risk (elimination) by affecting severity and probability of harm
- May affect severity of harm, frequency of exposure to the hazard under consideration, and/or the possibility of avoiding or limiting harm depending on which method of substitution is applied.

PROTECTIVE MEASURE: Safeguarding Technologies / Protective Devices
CLASSIFICATION: Engineering Controls
EXAMPLES:
- Barriers
- Interlocks
- Presence sensing devices (light curtains, safety mats, area scanners, etc.)
- Two hand control and two hand trip devices
INFLUENCE ON RISK FACTORS:
- Greatest impact on the probability of harm (occurrence of hazardous events under certain circumstances)
- Minimal if any impact on severity of harm

PROTECTIVE MEASURE: Awareness Means
CLASSIFICATION: Administrative Controls
EXAMPLES:
- Lights, beacons, and strobes
- Computer warnings
- Signs and labels
- Beepers, horns, and sirens
INFLUENCE ON RISK FACTORS:
- Potential impact on the probability of harm (avoidance)
- No impact on severity of harm

PROTECTIVE MEASURE: Training and Procedures
CLASSIFICATION: Administrative Controls
EXAMPLES:
- Safe work procedures
- Safety equipment inspections
- Training
- Lockout / Tagout / Tryout
INFLUENCE ON RISK FACTORS:
- Potential impact on the probability of harm (avoidance and/or exposure)
- No impact on severity of harm

PROTECTIVE MEASURE: Personal Protective Equipment (PPE) (least effective)
CLASSIFICATION: Administrative Controls
EXAMPLES:
- Safety glasses and face shields
- Ear plugs
- Gloves
- Protective footwear
- Respirators
INFLUENCE ON RISK FACTORS:
- Potential impact on the probability of harm (avoidance)
- No impact on severity of harm

Effectiveness of Awareness Means


Effectiveness of Administrative Controls


Effectiveness of PPE

Dust Mask

Face Shield

Hard Hat

Effectiveness of PPE


Present Risk Reduction System

The proposed system should be reviewed with the stakeholders involved before dedicating time, money and resources to the installation process
If the safety system installed is improperly selected or applied for the application, the safeguards will be bypassed and the system will be ineffective

Step 9: Accurately Estimate Implementation of the Proposed System

It is important that the entire system be considered
- Devices (interlock switches, light curtains, etc.)
- Hardware (gates, posts, etc.)
- Control system (safety monitoring relays, safety PLC, positive guided relays)
- Wiring (conduit, etc.)

Step 10: Proper Installation

Proper installation is key to the reliability of the entire system
Use tried and true methods set forth by:
- Applicable national, regional, and local regulations
- Consensus standards
- Customer specifications
- Device and machine manufacturers' recommendations

Use devices rated for human safety (safety-rated)

Guidelines for the Selection and Application of Protective Devices According to ISO Standards

Set Back Distance of Barrier Guards

From ANSI B11.19-2003, Annex D

Barrier Height and Distance vs. Height of Hazard

Safe Mounting Distance


Ds = K (T) + Dpf

[Figure: example of guarding with various object sensitivities, showing Ds, K (T total), Dpf and the Hazard Zone. Image from ANSI B11.19-2003.]

Devices with a larger value for object sensitivity must be placed at a greater safety distance (Ds) from the hazard than devices with higher resolution.

Step 11: Ensure Tolerable Risk is Achieved

It is important to conduct a documented risk assessment both before and after safeguarding the machine / process
If the residual risk is not tolerable after applying safeguards, conduct the process again

Zero Risk vs. Tolerable Risk


Many standards recognize that zero risk does not exist and cannot be attained
However, a good faith approach to risk assessment and risk reduction should achieve a tolerable risk level
FYI: One of every 2 million deaths is caused by falling out of bed.

What is Tolerable Risk?


Example: A moving chain in close proximity to hands
Chain speed is 3,960 ft/min (1,207 m/min)
45 mph (72 km/h)
66 ft/sec (20 m/sec)

Is this tolerable?
If this risk is not tolerable, no chainsaw could ever be used.

Measuring Tolerable Risk


YES / NO: Can all of the following questions be answered with a YES?
- Have all operating conditions and all intervention procedures been taken into account?
- Has the method of hierarchy of control been applied?
- Have hazards been eliminated or risks from hazards been reduced to the lowest practical level?
- Is it certain that the measures taken do not generate new hazards?
- Are the users sufficiently informed and warned about the residual risks?
- Is it certain that the operator's working conditions are not jeopardized by the protective measures taken?
- Are the protective measures taken compatible with each other?
- Has sufficient consideration been given to the consequences that can arise from the use of a machine designed for professional / industrial use when it is used in a non-professional / non-industrial context?
- Is it certain that the measures taken do not excessively reduce the ability of the machine to perform its function?

Measuring Tolerable Risk


ANSI B11.0-2010, Clause 6.7
Achieve acceptable risk
Once the residual risk has been established for each hazard, a
decision shall be made to accept the residual risk, or to further
reduce it.
Risk reduction is complete when risk reduction measures are
applied and acceptable risk has been achieved for the identified
hazards. Achieving acceptable risk shall include reducing the
likelihood of injury to a minimum. Additionally, achieving
acceptable risk shall include, at a minimum, complying with local,
regional, and national regulations.
Informative Note: In all machinery applications, some level of residual
risk exists.


Measuring Tolerable Risk

ANSI B11.0-2010, Clause 6.7 (continued)


Achieving acceptable risk will depend on:
the application of the hierarchy of controls (6.5.1.1 through 6.5.1.6);
the feasibility of the selected risk reduction measure(s).
Informative Note 1: Risk assessment should facilitate a consistent decision making
process. Qualified personnel are particularly important in decision making about
acceptable risk.
Informative Note 2: Acceptable risk is fundamentally a decision made by each supplier or
user in the context of their own unique circumstances. The following structure is one
example of a practical application of acceptable residual risk to relevant stakeholders:
- High residual risk - only acceptable when all reasonable alternatives/options (risk reduction measures) have been reviewed and formally deemed impracticable or infeasible. It is recommended that the group performing the risk assessment seek advice from additional safety or subject matter experts.
- Medium residual risk - undesirable but permissible only when all reasonable alternatives/options (risk reduction measures) have been formally deemed infeasible.
- Low residual risk - usually acceptable.
- Negligible residual risk - acceptable.

Informative Note 3: See also, Annex F for additional information on achieving acceptable
risk.
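
The before/after assessment from Step 11 can be checked mechanically. The following is an added example, not part of the original slides or of any standard: it applies the B11.TR3 matrix and worst-credible rule, the hierarchy-of-control statement that only elimination or substitution acts on severity, and the clause 6.7 residual-risk structure. The measure class names, the register layout, the estimates and the choice to hold severity at its initial value are assumptions of this example.

```python
SEVERITY = ["Minor", "Moderate", "Serious", "Catastrophic"]    # least to worst
PROBABILITY = ["Remote", "Unlikely", "Likely", "Very Likely"]  # lowest to highest

# Risk determination matrix from this page: LEVELS[probability][severity index].
LEVELS = {
    "Very Likely": ["Medium", "High", "High", "High"],
    "Likely": ["Low", "Medium", "High", "High"],
    "Unlikely": ["Negligible", "Low", "Medium", "Medium"],
    "Remote": ["Negligible", "Negligible", "Low", "Low"],
}

# Residual-risk structure from the ANSI B11.0-2010 clause 6.7 note on this page.
ACCEPTANCE = {
    "High": "only acceptable when all reasonable alternatives are formally "
            "deemed impracticable or infeasible",
    "Medium": "undesirable; permissible only when all reasonable alternatives "
              "are formally deemed infeasible",
    "Low": "usually acceptable",
    "Negligible": "acceptable",
}

# Hierarchy-of-control slide: only these measure classes act on severity of harm.
# The class names themselves are labels chosen for this example.
SEVERITY_REDUCING = {"elimination", "substitution"}
KNOWN_MEASURES = SEVERITY_REDUCING | {"safeguarding", "awareness", "training", "ppe"}


def worst_credible(estimates):
    """Merge several (severity, probability) estimates for one task/hazard pair.

    The worst credible severity and the highest credible probability are picked
    independently, so the result can be a pair that no single assessor proposed.
    """
    if not estimates:
        raise ValueError("at least one estimate is required")
    severity = max((s for s, _ in estimates), key=SEVERITY.index)
    probability = max((p for _, p in estimates), key=PROBABILITY.index)
    return severity, probability


def risk_level(severity, probability):
    return LEVELS[probability][SEVERITY.index(severity)]


def review(entry):
    """Compare the before and after assessment of one register entry."""
    measures = set(entry.get("measures", []))
    if measures - KNOWN_MEASURES:
        raise ValueError(f"unknown measure class: {sorted(measures - KNOWN_MEASURES)}")
    sev0, prob0 = worst_credible(entry["initial"])
    result = {"before": risk_level(sev0, prob0), "after": None, "findings": []}
    if not entry.get("residual"):
        result["findings"].append("no residual assessment recorded")
        return result
    sev1, prob1 = worst_credible(entry["residual"])
    if not measures and (sev1, prob1) != (sev0, prob0):
        # Nothing was applied, so the initial estimate still stands.
        result["findings"].append("estimate changed but no protective measure is recorded")
        sev1, prob1 = sev0, prob0
    elif SEVERITY.index(sev1) < SEVERITY.index(sev0) and not measures & SEVERITY_REDUCING:
        # Conservative choice of this example: hold severity at its initial value.
        result["findings"].append(
            f"severity lowered {sev0} -> {sev1} without elimination or substitution")
        sev1 = sev0
    result["after"] = risk_level(sev1, prob1)
    if result["after"] in ("High", "Medium"):
        result["findings"].append(
            f"residual risk {result['after']}: {ACCEPTANCE[result['after']]}")
    return result


# Constructed register: task/hazard pairs are from the page, estimates are invented.
REGISTER = [
    {"personnel": "Operator", "task": "Load", "hazard": "Shearing",
     "initial": [("Serious", "Likely"), ("Catastrophic", "Unlikely")],
     "measures": ["safeguarding"],
     "residual": [("Catastrophic", "Remote")]},
    {"personnel": "Operator", "task": "Load", "hazard": "Cutting or Severing",
     "initial": [("Serious", "Very Likely")],
     "measures": ["safeguarding", "ppe"],
     "residual": [("Minor", "Unlikely")]},
    {"personnel": "Operator", "task": "Unload Part", "hazard": "Crushing",
     "initial": [("Catastrophic", "Likely")],
     "measures": ["elimination"],
     "residual": [("Minor", "Remote")]},
]

if __name__ == "__main__":
    for entry in REGISTER:
        outcome = review(entry)
        print(entry["task"], "/", entry["hazard"], "->", outcome["before"], "to", outcome["after"])
        for finding in outcome["findings"]:
            print("   finding:", finding)
```

An entry with findings is one where the process should be conducted again before sign-off; the second constructed entry shows a claimed Negligible residual risk that becomes Medium once severity is held at Serious.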

Step 12: Close-out / Sign-off

Conduct the following before releasing the machine for production:
- Identify and document residual risk
- Test for functionality
- Document safe work procedures
- Train personnel
- Complete machine sign-off

Review

Image from ANSI B11.TR3-2000

Image from ANSI B11.0-2010



The Omron STI Point System

Pages A8 & A9
Page A10

[Figure: point system scoring sheet. Add up to determine level of risk; the level of risk helps determine guarding technology.]

Level of Risk:
- High: Cat 3-4, Control Reliable
- Medium or Intermediate: Cat 2, Single Channel with Monitoring
- Low: Cat 1, ANSI Single Channel

Risk Reduction Requirements


Circuit performance definitions are for ANSI/RIA R15.06-1999 (R2009).

Identified Risk Level: High (12+)
Required Safeguard Performance: Barrier guard or safety-rated protective device (e.g. interlocked barrier guards, light curtains, safety mats, laser area scanners, or other presence sensing devices) preventing intentional exposure of any part of the body to the hazard by preventing access to the hazard or stopping the hazard. The guard or device shall be secured with special fasteners or a lock.
Required Circuit Performance: Control Reliable
Control reliable safety circuitry shall be designed, constructed and applied such that any single component failure shall not prevent the stopping action of the equipment. These circuits shall include automatic monitoring at the system level.
1) The monitoring shall generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
2) Following detection of a fault, a safe state shall be maintained until the fault is cleared;
3) Common mode failures shall be taken into account when the probability of such a failure occurring is significant;
4) The single fault should be detected at time of failure. If not practicable, the failure shall be detected at the next demand upon the safety function.

Identified Risk Level: Medium (7-11)
Required Safeguard Performance: Barrier guard or safety-rated protective device (e.g. interlocked barrier guards, light curtains, safety mats, laser area scanners, or other presence sensing devices) preventing unintended exposure of any part of the body to the hazard by preventing access to the hazard or stopping the hazard. The guard or device shall not be removable or adjustable by unauthorized persons. This may also include physical devices that do not require adjustment or other operator intervention for use.
Required Circuit Performance: Single Channel with Monitoring
Single channel with monitoring safety circuits shall include the requirements for single channel and be checked (preferably automatically) at suitable intervals.
1) The check of the safety function(s) shall be performed:
   a) At machine start-up, and
   b) Periodically during operation;
2) The check shall either:
   a) Allow operation if no faults have been detected, or
   b) Generate a stop signal if a fault is detected. A warning shall be provided if a hazard remains after cessation of motion;
3) The check itself shall not cause a hazardous situation;
4) Following detection of a fault, a safe state shall be maintained until the fault is cleared.

Identified Risk Level: Low (1-6)
Required Safeguard Performance: Barrier guard or safety-rated protective device (e.g. interlocked barrier guards, light curtains, safety mats, laser area scanners, or other presence sensing devices) providing simple guarding against inadvertent exposure to the hazard. Examples include a fixed screen, chuck guard, or moveable barrier. This may include physical devices that require adjustment for use.
Required Circuit Performance: Single Channel
Single channel safety circuits shall:
1) Include components which are safety-rated;
2) Be used in compliance with the manufacturer's recommendations and proven circuit designs (e.g. a single channel electromechanical positive break device which signals a stop in a de-energized state.)

Key elements of a useful safeguarding assessment and risk reduction report

Sample Assessment Report With Usable Information


Executive Summary


Machine Detail Page 1


Machine Detail Hazard Zones


Machine Detail Risk Reduction Recommendations

Commercially Available Risk Assessment Software Packages

- CIRSMA (Corporate Industrial Risk and Safety Management Application) by Industrial Safety Integration: www.cirsma.com
- Designsafe by design safety engineering: www.designsafe.com
- RiskSafe by Dyadem: www.dyadem.com

Let's Review

What is a risk assessment and why do I have to do it?
- A comprehensive evaluation of the hazards associated with a machine.
- It must be repeatable and documented
- Do it to ensure compliant risk reduction

Who can do a risk assessment?
- A qualified vendor or in-house resources

How do I do it?
- Follow the 12 step process

Let's Review

What is the difference between risk assessment and risk reduction?
- Risk Assessment identifies the hazards and exposure
- Risk Reduction applies safeguards and processes to mitigate the risks identified

What tools are available?
- There is a wealth of third party software products
- None does the job for you; you must have expertise

Questions?
